Debian Server Base Configuration

Introduction
This document covers initial configuration of a newly installed Debian GNU/Linux system, currently based on Debian 7 (Wheezy). It presumes no options were selected during Tasksel.

Install SSH
Update and then install ssh.

apt-get update
apt-get install --no-install-recommends ssh

Then connect via SSH from a workstation and continue the rest of the install, starting with some extra packages that ssh recommends.

apt-get install --no-install-recommends tcpd openssh-blacklist openssh-blacklist-extra

APT Configuration
aptitude and apt-get will keep track of each other (except for held packages) so you can use both, but you should choose one and stick to it. I use apt-get for software management and aptitude for various things such as the command.

Disable Recommends
Disable recommended packages installing by default by creating the file with the following content.

Then update apt-get again.

apt-get update

Backports
Using Debian backports might also be useful.

cat > /etc/apt/sources.list.d/wheezy-backports.list <<EOF
deb http://mirror.internode.on.net/pub/debian/ wheezy-backports main non-free contrib
deb-src http://mirror.internode.on.net/pub/debian/ wheezy-backports main non-free contrib
EOF

You can then install backport packages using apt-get's --target-release option, e.g.

apt-get update
apt-get install -t wheezy-backports linux-image-amd64 linux-headers-amd64

Utilities
Now install some useful apt tools (and recommended packages). Search the web for information on them or use if you want to know more.

apt-get install deborphan debfoster apt-file python-apt lsb-release file iso-codes dialog \
    cruft apt-rdepends reportbug apt-show-versions dctrl-tools

Optional: If you would like to review bug reports related to packages before they are installed you can use apt-listbugs

apt-get install apt-listbugs

Then update apt-file or simply run if you used the tip above.

apt-file update

Multi-Arch
Optionally add extra architecture repositories if required. For example to add i386 to an AMD64 system

dpkg --add-architecture i386

Check architectures by running...

Editor and Pager
apt-get install vim vim-doc vim-scripts vim-addon-manager less

Select default text editor by selecting /usr/bin/vim.basic in the update-alternatives dialogue as follows.

Networking
Because the Debian installer may have configured the system to get its network settings via DHCP, or added some unneeded details if it was configured statically, we change it to fit our requirements (in this example the IP address 192.0.2.1 is used).

Edit

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.0.2.1
    netmask 255.255.255.0
    gateway 192.0.2.254

Then restart networking.

nohup sh -c "ifdown eth0 && ifup eth0"

You will need to reconnect your SSH session on the new IP unless you configure the network settings via the console.

Hostname
Edit substituting the computer's hostname where applicable.

127.0.0.1    localhost.localdomain    localhost
192.0.2.1    debian.example.local  debserver

# The following lines are desirable for IPv6 capable hosts
::1    ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run...

echo debserver.example.local > /etc/hostname
invoke-rc.d hostname.sh start

Afterwards check the hostname and fqdn are correct.

Firmware
Install the latest firmware packages to support your hardware. You are free to exclude any you don't need; I just install all of the available firmware to save headaches if, for example, the server has to be moved or restored to new hardware.

apt-file update
apt-get update
apt-get install firmware-linux firmware-linux-nonfree

Running the following command will list the available firmware:

apt-file --package-only search /lib/firmware/

If you want to install all firmware you can run:

apt-get install $(apt-file --package-only search /lib/firmware/ | tr '\n' ' ')

Software
Base software to install.

apt-get install htop build-essential module-assistant linux-headers-amd64 \
    tofrodos dosfstools fakeroot hdparm ntfs-3g rsync dkms bash-doc hwdata unp psmisc \
    bzip2 p7zip rar unrar unzip zip p7zip-full lzop lzip lzma ntp fontconfig lshw \
    hwinfo syslinux dnsutils sshfs screen telnet lsof bash-completion parted gdisk atop \
    ca-certificates

Bash
The Bash Section on this wiki includes example Bash startup files

Security
On servers, root SSH access is disallowed, so I set up an "admin" user with sudo rights.

apt-get install sudo

Add a standard user with sudo access

useradd --comment "Admin Account" --groups sudo --create-home --shell /bin/bash --user-group myuser
passwd myuser

Or if you have an existing user account

gpasswd -a myuser sudo

Logon as your new user via SSH and edit

Alter PermitRootLogin to no

PermitRootLogin no

Save the file, exit and restart SSH

sudo invoke-rc.d ssh restart
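
An added example, not part of the original page: a shell check that reports which PermitRootLogin value sshd will use from an sshd_config, since sshd takes the first global value it reads and a Match block can set a different one. The function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample configs are constructed.

# Print every PermitRootLogin setting sshd would consider in an sshd_config
# read from the named file (or stdin): the global value, then Match overrides.
scan_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            sub(/^[ \t]+/, "")
            sub(/[ \t]*=[ \t]*/, " ")      # accept the "Keyword=value" form
            key = tolower($1)              # keywords are case-insensitive
            val = tolower($2); gsub(/"/, "", val)
        }
        key == "match" { in_match = 1; $1 = ""; crit = $0; next }
        key != "permitrootlogin" { next }
        in_match { print "match" crit ": " val; next }
        !seen { seen = 1; print "global: " val }   # first global value wins
        END { if (!seen) print "global: unset" }
    ' "$@"
}

# Succeed only when the global value is "no" and no Match block differs.
root_login_fully_disabled() {
    out=$(scan_permit_root_login "$@")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -qv ': no$'
}

# Constructed: "no" appended at the end, but the earlier "yes" still applies.
sample_appended() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'UsePAM yes' 'permitrootlogin no'
}

# Constructed: the existing line altered to "no", plus a Match override.
sample_match_override() {
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'Match Address 192.0.2.0/24' '    PermitRootLogin yes'
}

# Constructed: the existing line altered to "no" and nothing else sets it.
sample_altered() {
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'UsePAM yes'
}

for s in sample_appended sample_match_override sample_altered; do
    if $s | root_login_fully_disabled; then echo "$s: root login disabled"
    else echo "$s: root login still possible"; $s | scan_permit_root_login; fi
done
```

On the live system, `sudo sshd -t` validates the edited file before the restart, and `sudo sshd -T | grep -i permitrootlogin` shows the value sshd actually resolves.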

You might also like to use the rootpw option for sudo which prompts sudo users for the root password instead of their own. If so create the file by executing the following command:

sudo visudo -f /etc/sudoers.d/rootpw

Insert the following into the file and save it.

Defaults       rootpw

Virtual Machine Requirements
The following needs to be done when running as a virtual machine.

Disable CTRL+ALT+DEL on console
Disable CTRL-ALT-DEL (reboot) to prevent Windows Admins rebooting the server accidentally.

sudo vi /etc/inittab

Locate and comment out the following line e.g.


#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

VMware Tools
Debian comes with open-vm-tools. If you'd like to use them, follow these instructions.

sudo apt-get install build-essential linux-headers-amd64 dkms
sudo apt-get install open-vm-dkms open-vm-tools ethtool zerofree
reboot && exit

Or to install VMware's tools...

sudo apt-get install build-essential linux-headers-$(uname -r)

Login to the console of the VM and mount the cdrom

sudo mount /dev/sr0 /media/cdrom
cp /media/cdrom/ vmwaretools .tar.gz /tmp/
cd /tmp/
tar -xvzf vmwaretools .tar.gz
cd vmware-tools-distrib
sudo ./vmware-install.pl

Hit Enter at all prompts, with the exception of the VM Sync driver, which you may like to use.

Repeated Characters Fix
See the following link to resolve Repeated characters when typing in remote console

atime and diratime
Edit and add noatime and optionally nodiratime to it. For example...

 UUID=303a3234-0ba0-4779-ad1b-4d3bd095a224 / ext4 noatime,nodiratime,errors=remount-ro 0 1

Then reboot.

TTY Scrollback Buffer
To increase the TTY Scrollback see TTY Scrollback Buffer Size